The System File Checker tool, activated with the sfc /scannow command in Command Prompt, is an incredibly useful system repair utility. It scans all the protected system files and replaces corrupted files with a cached copy located in your system. However, when running this command, you may encounter an error message that reads "Windows resource protection could not start the repair service."
This error often occurs due to permission issues or a malfunctioning Windows TrustedInstaller. As such, let's explore how to troubleshoot this error in a few easy steps.
Why is SFC Scannow Not Working?
For the System File Checker to work, Windows TrustedInstaller must be operational. Windows TrustedInstaller is a service that's needed to enable the installation, removal, and modification of Windows updates and other system components.
By default, TrustedInstaller controls the Windows Resource Protection (WRP) tool. WRP protects against unauthorized modifications, including changes to essential system files, folders, and registry keys. It also handles the "sfc /scannow" command that you're trying to use.
As such, when TrustedInstaller malfunctions, other services dependent on it will stop working too. This means both WRP and the System File Checker tool will fail to work properly. While there is no silver bullet solution for this issue, we have listed a few troubleshooting steps you can follow to fix this error.
1. Restart Windows TrustedInstaller (Windows Modules Installer)
If Windows TrustedInstaller is not running or it's malfunctioning, a quick restart of the service can help resolve the error. You can easily restart it from the Windows Service Console. Here’s how to do it.
- Press Win + R to open the Run box.
- Then, type services.msc and click OK to open the Service Console.
- In the Service Console window, locate the Windows Modules Installer.
- Right-click on the service and select Properties.
- In the Properties window that appears, set the Startup type to Manual.
- If the service isn’t running, click the Start button under the Service status section.
- Click Apply and OK to save the changes. Close the Service Console and check if you can run the System File Checker tool without any error.
2. Start TrustedInstaller Using the Command Prompt
If restarting the Windows Modules Installer from the Service Console did not work, you can use Command Prompt to restart the service. Here’s how to do it.
- Type cmd in the Windows search bar. From the search results, right-click on Command Prompt and click on Run as Administrator. Click Yes when prompted by User Account Control.
- In the Command Prompt window, type the following command and hit enter to execute:
sc config trustedinstaller start= auto
- This command will set the Windows Modules Installer service startup type to automatic. Upon successful execution, you will see a ChangeServiceConfig SUCCESS message displayed on the screen.
- Next, enter the following command to restart the TrustedInstaller service:
net start trustedinstaller
- Once successfully executed, run the sfc /scannow command and check if the error is resolved.
3. Run SFC Scannow in Safe Mode
In Safe Mode, Windows starts in a minimal state, loading a limited set of files and drives. Safe Mode is useful to determine if a third-party application or service conflict is causing trouble in your system.
If you think a third-party program is conflicting with the System File Checker tool and triggering the Windows Resource Protection could not start the repair service error, run the sfc /scannow command in Safe Boot mode to verify the problem.
To run System File Checker in Safe Mode:
- Press Win + R to open Run.
- Type msconfig.msc and click OK to open the System Configuration window.
- In the window that appears, open the Boot tab.
- Under Boot options, check the Safe boot option. Then, select the Minimal option.
- Click Apply and OK to save the changes.
- Click the Restart button if you want to restart Safe Mode right away. If not, click Exit without restart, save and close open apps and then restart your PC.
After the restart, your system will boot in Safe mode running only essential Windows services.
Now, open the Command Prompt and run the sfc /scannow command. If the command runs without any error, a third-party application installed on your system is most likely creating conflict with Windows Resource Protection, hence triggering the error.
To disable Safe Boot, launch System Configuration, open the Boot tab and uncheck Safe boot under Boot options. Then, click Apply and Restart your PC.
4. Add a TrustedInstaller Expandable String Value to the Registry Editor
If you don’t mind working with the Windows Registry editor, you can fix this error by adding a new expandable string value to the Registry. That said, incorrect modifications to your registry entries can brick your system, so make sure to create a Windows registry backup before you proceed with the setup.
Additionally, create a system restore point. This will help you undo system-level changes and restore your PC to its working state. Once you have the backup in place, follow these steps.
This process involves finding the TrustedInstaller ID, sub-folder name, and creating a new Expandable String value in the Registry Editor. We have split the steps into two parts for easier understanding.
4.1 Find TrustedInstaller ID and Sub-folder Name in File Explorer
- Press Win + E to open File Explorer and navigate to the following location:
C:\Windows\Servicing\Version
- You will see a folder named something like 10.0.19041.1XXX. This is your TrustedInstaller ID. Copy the ID/name to your clipboard or paste it into a Notepad document as you will use it moving on.
- Next, navigate to the following location:
C:\Windows\WinSxS
- Here, depending on the CPU you are using, locate one of these subfolders.
x86_microsoft-windows-servicingstack_31bf3856ad364e35_{TrustedInstaller ID} (32bit Windows)
amd64_microsoft-windows-servicingstack_31bf3856ad364e35_{TrustedInstaller ID} (64bit Windows) - In the above subfolder name, {TrustedInstaller ID} is the folder name you noted in step 2.
- Copy the folder name and path to a Notepad file as well.
4.2 Create Expandable String Value in Registry Editor
Now that you have the required information, it's time to create an Expandable String value in the Registry Editor. Here’s how to do it.
- Press the Win + R to open Run.
- Type regedit and click OK to open the Registry Editor.
- In the Registry Editor, navigate to the following location. You can copy and paste the path in the Registry Editor address bar for quick navigation:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version
- Select and right-click on the Versions subkey. Choose New > Expandable String Value.
- Rename the value to match your TrustedInstaller ID name. After renaming the value, it will look something like this:
10.0.19041.1XXX
- Then double-click on the newly created value and paste the path of the folder identified in WinSxS in the Value data field. It will look something like this:
%SystemRoot%\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1XXX_none_7e3d47227c694b34
- Make sure to properly use %SystemRoot% and trim C:\Windows from the folder path.
- Click OK to save the changes.
If you see the Error creating value message when adding a subkey or string value, you must take ownership of the Component Based Servicing key. You can manually take ownership of the key or use an automated tool to do it.
How to Take Registry Key Ownership
- In the Registry Editor, right-click on the Component Based Servicing and select Permissions.
- In the Permissions window, click the Advanced button in the Security tab.
- The Owner, by default, is set to TrustedInstaller. Click on the Change link.
- Type your username and click on Check names. Click OK to save the changes.
- Check the Replace owner on sub containers and objects box and click Apply to changes.
After changing the ownership, you can modify the registry keys to add new values and subkeys without any error.
Fixing the Sfc /Scannow Windows Resource Protection Error, Made Easy
One of these four fixes will allow you to fix the Windows Resource Protection error and execute the Sfc /scannow command. In most cases, you can fix this problem by tweaking the registry entries. However, if nothing works, try a restore point or reset your system to factory default.
0 Comments